FDA whistleblowers say government retaliated with spyware

FDA whistleblowers are suing the government for intercepting e-mails and using …

A group of former FDA scientists who spoke out against the agency's allegedly flawed device-approval process are suing the feds for intercepting Gmail and Yahoo Mail messages by installing spy programs on their work computers. Although the computers were owned by the government, the plaintiffs say they were explicitly granted the right to use them for personal purposes.

Back in January 2009, nine scientists known as the "FDA Nine" anonymously wrote to the leader of then President-elect Barack Obama's transition team "pleading with him to restructure the agency," the Wall Street Journal reported at the time. Among other things, the Food and Drug Administration scientists complained that the agency approved devices in a flawed process that ignored science, and was driven by political lobbying.

A lawsuit filed January 25, 2012 in US District Court in Washington, DC on behalf of six of the scientists (two of whom remain anonymous) says agency officials responded to their whistleblowing by installing spyware on their computers to capture screen shots of private e-mail. The defendants in the suit allegedly stored the e-mails in a file called "FDA 9" with sub-directories related to each of the scientists. The FDA later used the e-mails to file complaints against the scientists with the Office of Inspector General (OIG), claiming that the scientists violated the law by providing information to the media and Congress. The scientists say their actions were protected by whistleblower laws, and the OIG repeatedly declined to take action against them.

None of the plaintiffs still work for the FDA. Two of them, Paul Hardy and Julian Nicholas, are asking for a court order to get their jobs back, with Hardy saying he was fired without cause and Nicholas saying his contract was not renewed by the FDA in retaliation for his whistleblowing. More broadly, the defendants are alleging First and Fourth Amendment violations and asking for a "Declaratory Judgment finding that the United States cannot convert the private e-mail and electronic communications of federal employees without due process of law and just compensation and cannot target whistleblowers for searches and seizures without a search warrant or validly issued subpoena that is narrowly tailored and limits the scope of any such search within valid constitutional parameters."

The defendants in the case include the FDA itself, the Public Health Service, the Department of Health and Human Services, the US government as a whole, Surgeon General Regina Benjamin, Secretary of Health and Human Services Kathleen Sebelius, FDA commissioner Margaret Hamburg, a variety of lower-ranking officials, and 99 unnamed IT employees, who presumably helped facilitate the e-mail gathering.

It stands to reason that workers should be wary of performing personal tasks on employer-owned computers. Monitoring employee computers is generally a trivial matter with modern technology, although the alleged actions of the FDA go beyond what an employee might normally expect, at least if the employees have no cause to think their employers have reason to watch their personal communications. The defendants, however, say in the lawsuit that the FDA's actions not only have a chilling effect on future whistleblowers, but also violated the understanding the agency had with the workers to whom the equipment was provided.

The "plaintiffs were permitted to access private, password protected Private E-mail Accounts from laptops and computers provided by FDA, but for which explicit permission was granted to use for personal purposes," the lawsuit states. "Defendants used this prolonged period of surveillance in an attempt to obtain information that could discredit the whistleblowers or be used by the United States to personally destroy the careers and reputations of distinguished medical doctors and other professionals. … When Defendants were unable to find evidence that the Plaintiffs had violated laws, they reviewed the contents of the secretly intercepted e-mails and recommended disciplinary action based on the content and viewpoint expressed in the intercepted e-mails."

37 Reader Comments

Good for them, I truly hope they get somewhere with this. It's frightening to know how much lobbying affects things that are supposed to be in place to protect us. Our government is sadly going down the shitter and being bought-out by private interests.

That used to be the tinfoil hat thought process, but its so apparent its becoming common knowledge. That in itself is scary.

I assume there's spyware/Big Brother type stuff on everything at work and plan accordingly. Wonder how long it is until your employer, especially if you work for Uncle, can say they need to monitor the smartphone you bring to work.

Much as I agree with their whistleblowing, it had already been well-established by 2009 that, informal agreements notwithstanding, you have no reasonable expectation of privacy on equipment provided (and owned by) your employer. Sorry guys, that boat sailed a long time ago.

Getting fired or otherwise discriminated against for whistl-blowing? That's an entirely different matter. Hope that angle works for them.

Much as I agree with their whistleblowing, it had already been well-established by 2009 that, informal agreements notwithstanding, you have no reasonable expectation of privacy on equipment provided (and owned by) your employer. Sorry guys, that boat sailed a long time ago.

Getting fired or otherwise discriminated against for whistl-blowing? That's an entirely different matter. Hope that angle works for them.

I agree. Slim chance of winning on that count. But maybe it's one of those things where you sue for everything just to see what sticks.

Much as I agree with their whistleblowing, it had already been well-established by 2009 that, informal agreements notwithstanding, you have no reasonable expectation of privacy on equipment provided (and owned by) your employer. Sorry guys, that boat sailed a long time ago.

Getting fired or otherwise discriminated against for whistl-blowing? That's an entirely different matter. Hope that angle works for them.

not necessarily. Depends on your employers computer terms of service. If the employee rules state that email is private and that you must have a warrant to search someone's email, then its private. While the law allows every company to set their own rules, once set they have to abide by them. So these guys may very well have a case. I know email where I work is confidential, and we are required to have a confidentiality notice in our signatures.

Isn't the whole federal government covered by "sovereign immunity"...or am I missing something....

US Federal Government has chosen to waive sovereign immunity in some kinds of civil cases involving contract law and liability for wrongful actions of their employees. They retain immunity to criminal prosecution (as an organization, not as individuals), although lately US Presidents have been pushing the boundaries where government related individual criminal liability is concerned by trying to give the finger to congressional inquiries.

I'm with you there. Even if they had an "understanding" that they could use the work computers for personal purposes, were I in their place, I would not. I'd wear a tinfoil hat in the neighborhood of *government* computers, no matter *what* the "understanding". I might even be wary of using their Wi-Fi connection with *my own* computing device. Feds is feds.

If an employer provides you with equipment, and states that it could be used for personal purposes, then you would have a reasonable expectation that your personal use would not be spied upon.

You bet they can sue.

Depends on the terms they grant the use under. Mine's summarize as "personal use within reason is allowed but we reserve the right to snoop at will"; and excepting whitelisted healthcare/banking sites, the SSL certs our browser gets are all from sslproxy.companyname.com not the company that the sites we're visiting are using.

US gov't owned computers? They can put whatever the hell they want on 'em.

Yes they can, but to use sypware to gather information to be used to fire people would require that either ALL computers in the group/department had similar software and monitoring, or that they have information, OTHER THAN A WHISTLEBLOWING INSTANCE, that indicates that the people being monitored were doing something improper. You DO NOT target whistleblowers, and keep your job. This is part of the whistleblower protection.

In this instance, I believe it's likely that the FDA et. al. will lose.

1) No one should expect privacy on work-supplied communication technology, particularly when said employer is large.

2) The FDA nine were not fired. My understanding is that most, like Robert Smith, were merely contracted employees whose contracts were not renewed upon expiration.

3) The FDA nine's core complaint was not that "lobbying" was determining the outcome of medical device reviews, but rather that the PDUFA and MDUFMA user fees gave companies undue influence over the politically-appointed leadership at the agency (a common complaint of the user fee system). These leaders were then in turn influencing the scientific reviewers to include evidence the scientists did not want to include in their product reviews. When you examine the cases the FDA nine were most concerned with, CT Colonography was one of the big ones alongside Plan B. Of course, the reviewer who disagreed with clearance of CT Colonography also happens to be a gastroenterologist -- a profession that relies on the continued proliferation of oldschool optical colonoscopy, despite better/newer alternatives like CT Colonography.

Having known Robert Smith (who is an academic radiologist) and the gastroenterologist mentioned above, these folks were not "whistleblowers" so much as "attention seekers" hoping to leverage the U.S. transition from the Bush Administration to the Obama Administration as a means to make a name for themselves and perhaps get big political appointments. These guys were not honorable by any stretch of the imagination.

I think the real crux of the matter here is that they were not swept up by generic spyware but via spyware installed specifically upon their computer due to the belief that they were whistleblowers, which I think IS a violation of their rights because the activity in question was legally protected.

Had the FDA simply instituted the spyware globally I think it would have been fine, especially had they announced it.

Quote:

I assume there's spyware/Big Brother type stuff on everything at work and plan accordingly. Wonder how long it is until your employer, especially if you work for Uncle, can say they need to monitor the smartphone you bring to work.

They can't. They can, however, prohibit you from bringing it to work - I have had a job where I was not allowed to bring any device capable of taking pictures, including a cel phone, into some areas.

Quote:

Isn't the whole federal government covered by "sovereign immunity"...or am I missing something....

Sovereign immunity does not cover certain things. This would not be covered.

IMHO whistleblower laws should guarantee 100% safety for any public or private sector employee when they are explicitly reaching out to any senator or representative regardless of the whistleblowers state of residence. This should especially apply to members of the "praetorian class" (e.g. military, the CIA, the FBI and the NSA.)

Who ordered this to be done? How are they still able to skulk around in the shadows? Time to cast off THEIR cloak of secrecy... The only just outcome here would be for those spooks to receive the outcome they clearly intended for the victims of their prowling/ spying campaign...

This is not allowed because it is retaliation for whisteblowing. That is, if FDA spied on ALL employees it would be OK, but spying on these scientists specifically is not (because it's retaliation for whistleblowing).

Isn't the whole federal government covered by "sovereign immunity"...or am I missing something....

There are exceptions.

A prominent one is the precedent established by the US Supreme Court in the 1972 case _Bivens v. Six Unknown Named Agents_. Basically, this 1971 Supreme Court ruling in _Bivens_ says that sovereign immunity is no defense for violation of your constitutional rights; you can seek monetary damages directly from the perpetrators.

The most recent _Bivens_ case is still underway against TSA; see <http://reason.com/archives/2011/08/19/airport-security-vs-the-consti>.

It is my considered that our country is in need of more _Bivens_ suits.

Isn't the whole federal government covered by "sovereign immunity"...or am I missing something....

Congress granted a reasonably broad waiver to sovereign immunity with the Federal Tort Claims Act. I believe also that courts have generally said that sovereign immunity does not apply when it's a case of an individual(s) within the government acting against the law or their job*. Whistleblower laws that protect against retaliation will thus potentially modify every single claim of sovereign immunity or "they were work computers" that comes up, or at least that's what the plaintiffs will claim. IANAL, but it seems like there's going to be a lot of finer points argued in this case unless someone higher up just steps in and settles it outside of court.

*- i.e. supervisors spying on employees in retaliation for whistleblowing would not be within their job description and/or the law will be what is argued.

Much as I agree with their whistleblowing, it had already been well-established by 2009 that, informal agreements notwithstanding, you have no reasonable expectation of privacy on equipment provided (and owned by) your employer. Sorry guys, that boat sailed a long time ago.

Getting fired or otherwise discriminated against for whistl-blowing? That's an entirely different matter. Hope that angle works for them.

not necessarily. Depends on your employers computer terms of service. If the employee rules state that email is private and that you must have a warrant to search someone's email, then its private. While the law allows every company to set their own rules, once set they have to abide by them. So these guys may very well have a case. I know email where I work is confidential, and we are required to have a confidentiality notice in our signatures.

As a 30 year Federal employee, it's stated on Gov't computer and your telephone, on your computer screen and is disseminated during the mandatory IT training held every year, that use of the Government owned computers and telephones constitutes permission to monitor any electronic communications including messages, emails and conversations. As a matter of fact, most emails sent on Gov't computers (short of Secret and TOP Secret communications) fall under the FOI act and can be accessed under those laws by anyone. This includes using a government computer to check your personal (gmail, etc) accounts, buy stuff off eBay, you name it. It may be in small print but every Government employee I know is well aware of this. That being said, I know a lot of people who still do stupid things with their machines, send inappropriate emails and such, but I tell my people once you hit that "send" button on a Gov't computer, consider it being read by everyone and anyone within the office, the Department or the big brother bureaucracy.

Now the Whistle-blower protections in place under Federal law are a different story and if the FDA retaliated because of that, then they're in trouble. But I highly doubt the "spy-ware" angle will fly...

Of course, the reviewer who disagreed with clearance of CT Colonography also happens to be a gastroenterologist -- a profession that relies on the continued proliferation of oldschool optical colonoscopy, despite better/newer alternatives like CT Colonography.

"Better" is relative here. CT scans are known to increase risk of cancer, and new studies find the risk to be much higher than previously thought.

Much as I agree with their whistleblowing, it had already been well-established by 2009 that, informal agreements notwithstanding, you have no reasonable expectation of privacy on equipment provided (and owned by) your employer. Sorry guys, that boat sailed a long time ago.

Getting fired or otherwise discriminated against for whistl-blowing? That's an entirely different matter. Hope that angle works for them.

not necessarily. Depends on your employers computer terms of service. If the employee rules state that email is private and that you must have a warrant to search someone's email, then its private. While the law allows every company to set their own rules, once set they have to abide by them. So these guys may very well have a case. I know email where I work is confidential, and we are required to have a confidentiality notice in our signatures.

As a 30 year Federal employee, it's stated on Gov't computer and your telephone, on your computer screen and is disseminated during the mandatory IT training held every year, that use of the Government owned computers and telephones constitutes permission to monitor any electronic communications including messages, emails and conversations. As a matter of fact, most emails sent on Gov't computers (short of Secret and TOP Secret communications) fall under the FOI act and can be accessed under those laws by anyone. This includes using a government computer to check your personal (gmail, etc) accounts, buy stuff off eBay, you name it. It may be in small print but every Government employee I know is well aware of this. That being said, I know a lot of people who still do stupid things with their machines, send inappropriate emails and such, but I tell my people once you hit that "send" button on a Gov't computer, consider it being read by everyone and anyone within the office, the Department or the big brother bureaucracy.

Now the Whistle-blower protections in place under Federal law are a different story and if the FDA retaliated because of that, then they're in trouble. But I highly doubt the "spy-ware" angle will fly...

Slippery slope. Where does one draw the line? Companies I've worked for in the past (IBM, Intel, HP, others, etc) supplied various equipment to the employees. Often, laptops - for company work. However, we could use them as personal devices - a decent compromise when I'm traveling for 12 straight days for Intel, in hotels- I can use my company laptop to play solitaire (not a "company sanctioned" past time!) or freecell, or browse the web.

Sure, I could be hard-core and say "wow- I shouldn't use the company laptop, on my own time while traveling for THEIR business, to view 'lawmower-donkey-porn.com' " -- but, where does the line end? When it is my time, traveling for their work, using equipment loaned to me (but again, outside of work)?

Jump back a decade or so - company cars. What if you used the company car, which you were allowed to use for your own purposes, to buy liquor? Hit up a strip club? Pick up a hooker? Where can, or should, they draw the line?

Isnt asking the US government to rule against the big business owned FDA a bit like asking the counter staff at macdonalds to sack the manager?

Dont these people realise that not only is the FDA run and owned by big business but the government that oversees them is bought and paid for long before anyone enters into office via the campaign contributions prepayment scheme?

You only have to look at how many former lobbyists and major corporation staffers Obama and every president before him puts into key government positions once theyre elected to see exactly who owns them and the same applies to practically every elected official in every country so this isnt just a dig at the US

I think dictatorships probably have more integrity nowadays than democratic governments, which is probably why the west is spending so much money on trying to convert dictatorships over to the democratic model because big businesses cant exploit them quite so easily without elected officials to co opt with pay offs

US government computers, hmm, legal reality would be that US government computers are more bound by the US constitution than any other computers on the face of the planet. So freedom of speech should be a guaranteed as well as the requirements for warrants to access private data and communications.

As a fed, each user's machine is set up with a splash screen at logon, warning that it's government provided equipment and nothing on it can be considered private. This is a fed-wide requirement. Just because they click past the warning without bothering to read it, doesn't negate the fact that it's there.

**WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**This is an [agency] computer system. [Agency] systems including all related networks and network devices [specifically including Internet access] are provided for the purpose of official U.S. Government information. Unauthorized access or use of this computer system may subject violators to criminal. civil, and/or administrative action.

All information on this computer may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes including criminal investigations. Access or use of this computer system by any person whether authorized or unauthorized constitutes consent to these terms.**WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**

So, while agency policy allows for "limited personal use", this required splash screen clearly warns it may not be confidential. Given the required link by the FBI to ISP traffic, NO traffic can be assumed confidential unless first strongly encrypted and sent as an attachment. It's the "limited, personal use" clause that is being bandied about as "explicit permission". It doesn't negate the splash screen and annual IT security briefing warnings about ALL traffic being monitored. I'm relatively confident that no spyware had to be installed on the machines as all traffic over the wire is captured and available for review as needed (anti-virus, sensitive traffic to questionable destinations, etc.). I work with these types all the time. They ignore IT until it bites them in the behind then act like no one ever told them.

Jump back a decade or so - company cars. What if you used the company car, which you were allowed to use for your own purposes, to buy liquor? Hit up a strip club? Pick up a hooker? Where can, or should, they draw the line?

if it has a company sign on the side, then anything that reflects poorly on the company should be reasonably considered inappropriate. since this is about a federal agency, then the GSA tags would apply and, as with many things different with the fed, be more far reaching as the "giving the appearance of impropriety" aspect kicks in. just like they won't reimburse the cost of alcohol with a meal, seeing a gsa-tagged car in a strip club parking lot may illicit a complaint that would have to be answered.

there was a time when a corporate VP was fired because his wife was caught shoplifting. it reflected on the company and out he went (OG&E if anyone is curious).